|Previous Section||Back to Table of Contents||Lords Hansard Home Page|
However, we have listened to the arguments made in favour of further extending the scope of assessment notices to the private sector. We recognise that there are genuine concerns about the private sector's handling of personal data-indeed, the noble Baroness, Lady Miller, referred to them-and that there are certain categories of private-sector data controller whose circumstances merit the application of assessment notices.
Government Amendments 198A, 199A and 199C address those scenarios. We remain unpersuaded that the assessment notice regime should apply automatically to all data controllers. Such an approach would be a little excessive and impose disproportionate burdens on business. Instead, our amendments enable the Secretary of State to designate by order certain descriptions of private-sector data controller as liable for assessment notices.
The amendments provide the Secretary of State with the power to make an order following a recommendation from the Information Commissioner. Where the Secretary of State was minded to accept such a recommendation, we would be able to proceed to make an order, which would be subject to the affirmative procedure, only following consultation with the affected sectors. Such consultations would be accompanied by a full impact assessment. The Secretary of State and the Information Commissioner will have to be satisfied that designation is necessary, taking into account the nature and quantity of data under the control of such persons and the damage or distress that may be caused by a contravention by such persons of the data protection principles.
This amendment does not provide for the designation of a particular data controller but for a description of a data controller. This means that the designation would not single out or list individual data controllers but would provide a description of a class of data controller-for example, credit reference agencies, which have been referred to in the debate-as liable to assessment notices. In addition, we are introducing a requirement for the Secretary of State to review, at least every five years, whether it continues to be appropriate for a public authority and necessary for a description of a private-sector data controller to be subject to the assessment notice regime.
Amendment 199D in the name of the noble Lord, Lord Henley, would amend government Amendment 199C and would require the Information Commissioner
21 July 2009 : Column 1564
Amendments 194, 196, 198 and 199 in the name of the noble Baroness, Lady Miller, similarly seek to extend the categories of data controllers who are liable to an assessment notice. Amendment 199, for example, would make assessment notices directly applicable to public authorities without the need for an order. However, we do not consider such an extension across the whole public sector to be justified. The definition of "public authority" in the Bill relies on an order being made. Without an order, there would be uncertainty as to exactly which persons are covered. I hope that, having had an opportunity to consider our amendments and to hear what I briefly had to say about them, the noble Baroness may be persuaded that they offer a more balanced and proportionate approach and that she will not press her amendments to a vote today.
Government Amendments 199B, 200A and 200B in large measure simply re-order existing provisions in Clause 156, but there is one notable change in that judges are added to the list of persons excluded from the assessment notice regime. The Committee will of course appreciate the very special constitutional position of the judiciary that has led to us tabling this amendment. Currently, the only inspection regime involving the judiciary is provided for in Section 59 of the Courts Act 2003. That is limited to the inspection of the system that supports the carrying on of the business of the courts and the services provided for those courts. It expressly does not permit scrutiny of anyone exercising judicial discretion or making judicial decisions.
For judicial office-holders to be subject to the assessment notice procedure while exercising their professional judicial functions would compromise the constitutional principle of judicial independence, which this and every Government rightly have a statutory duty to uphold. There can be no disagreement that judicial impartiality and freedom from improper influence are at the heart of the fair administration of justice in this country. The Information Commissioner agrees with our making this special exception.
I turn now to sanctions for non-compliance with an assessment notice. Again, we have listened to the representations in the other place on this issue. The case for some express sanction in the event of non-compliance is reinforced now that private-sector data
21 July 2009 : Column 1565
We have taken a different approach to enforcement from that taken in Amendments 195, 200, 201, 203, and 204, tabled by my noble friend Lord Dubs and the noble Baroness, Lady Miller. The key difficulty with treating the failure to comply with an assessment notice as a contempt of court or as an offence is that ultimately it does not provide the Information Commissioner with access to the premises in question, which is exactly what a warrant does; it provides the Information Commissioner with access. The former Information Commissioner agreed with us that this would not provide him with the access he believed was required.
Amendment 202, in the name of the noble Baroness, Lady Miller, would provide for an enforcement mechanism through the issuing of a warrant under Schedule 9 to the Data Protection Act to allow the Information Commissioner access to the data controller's premises. I hope that noble Lords will agree that our amendments are intended in the same spirit and achieve a similar end.
Part 5 of Schedule 18 amends Section 55A of the Data Protection Act to prevent the imposition of a civil monetary penalty based on information obtained from either a good practice assessment or an assessment notice. Amendment 206 would remove this exemption, which we believe will provide a strong incentive for data controllers to consent to a good practice assessment. This exemption will not-I emphasise, not-provide immunity to data controllers from all enforcement action in relation to breaches that might be discovered during a good practice assessment or an assessment notice. The commissioner will still be able to issue an enforcement notice under Section 40 of the Data Protection Act to compel the data controller to comply with their data protection obligations if he discovers a breach of the data protection principles during any of these assessments.
As the noble Lord, Lord Henley, reminded us, these government amendments follow consultations that my ministerial colleague, Michael Wills, had with the Information Commissioner and the opposition spokespersons in the other place. I hope that the House will agree that this package of government amendments provides a workable scheme to bring those data controllers who need to be subject to additional scrutiny within the assessment notice regime and to provide the Information Commissioner with sufficient remedies where a data controller fails to comply with an assessment notice. In due course, I shall move the government amendments.
The noble Baroness asked me, harking back to last year and the Criminal Justice and Immigration Act, why the increased penalties in those Acts are not yet
21 July 2009 : Column 1566
Baroness Miller of Chilthorne Domer: Let me deal with that last point first. That is very disappointing news because when I went to the launch of the Information Commissioner's annual report this year, one of the main points was that the office welcomed the new legislation going on to the statute book last year to allow this power to the Secretary of State so that he or she could make an order which would bring in a satisfactory penalty. But it was very disappointed that these orders had not been brought in. I understand that the Government may be monitoring the situation with the Information Commissioner's office. But its reaction to the lack of these orders seems to be at variance with the Government's view that the orders are not necessary.
Lord Bach: I realise that the answer I have given the noble Baroness is short and may not be full enough. If she will allow me, I will write to her with fuller reasons on why these orders have not been brought in.
Baroness Miller of Chilthorne Domer: I should be most grateful for that. On the substance of my other amendments and the government amendments, I recognise that this is an evolutionary process. The government amendments are a couple of steps in the right direction of evolution. Therefore, the statutory regime surrounding the retention of data and the way in which they are managed is keeping pace with the technological capabilities, which is what has not happened to date. I am very pleased to see that we have more steps to ensure that citizens in the UK can feel a little more confident that their private data are regarded as valuable, precious and something that should be looked after properly. These steps are in the right direction. I beg leave to withdraw the amendment.
(c) a person of a description designated for the purposes of this section by such an order."
"(11A) Where a public authority has been designated by an order under subsection (2)(b) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be appropriate for the authority to be designated.
(a) the Commissioner has made a recommendation that the description be designated, and
(b) the Secretary of State has consulted-
(i) such persons as appear to the Secretary of State to represent the interests of those that meet the description;
(ii) such other persons as the Secretary of State considers appropriate.
(11C) The Secretary of State may not make an order under subsection (2)(c), and the Commissioner may not make a recommendation under subsection (11B)(a), unless the Secretary of State or (as the case may be) the Commissioner is satisfied that it is necessary for the description of persons in question to be designated having regard to-
(a) the nature and quantity of data under the control of such persons, and
(b) any damage or distress which may be caused by a contravention by such persons of the data protection principles.
(11D) Where a description of persons has been designated by an order under subsection (2)(c) the Secretary of State must reconsider, at intervals of no greater than 5 years, whether it continues to be necessary for the description to be designated having regard to the matters mentioned in subsection (11C)."
(1) A time specified in an assessment notice under section 41A(5) in relation to a requirement must not fall, and a period so specified must not begin, before the end of the period within which an appeal can be brought against the notice, and if such an appeal is brought the requirement need not be complied with pending the determination or withdrawal of the appeal.
(2) If by reason of special circumstances the Commissioner considers that it is necessary for the data controller to comply with a requirement in an assessment notice as a matter of urgency, the Commissioner may include in the notice a statement to that
21 July 2009 : Column 1568
(a) any communication between a professional legal adviser and the adviser's client in connection with the giving of legal advice with respect to the client's obligations, liabilities or rights under this Act, or
(b) any communication between a professional legal adviser and the adviser's client, or between such an adviser or the adviser's client and any other person, made in connection with or in contemplation of proceedings under or arising out of this Act (including proceedings before the Tribunal) and for the purposes of such proceedings.
(a) a judge,
(b) a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or
(c) the Office for Standards in Education, Children's Services and Skills in so far as it is a data controller in respect of information processed for the purposes of functions exercisable by Her Majesty's Chief Inspector of Education, Children's Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000.
(a) a justice of the peace (or, in Northern Ireland, a lay magistrate),
(b) a member of a tribunal, and
(c) a clerk or other officer entitled to exercise the jurisdiction of a court or tribunal;
and in this subsection "tribunal" means any tribunal in which legal proceedings may be brought."
(a) before the end of the period of three years beginning with the date of the commission of the offence, and
(b) before the end of the period of six months beginning with the date on which evidence which the prosecutor thinks is sufficient to justify the proceedings comes to his knowledge.
(a) a certificate signed by or on behalf of the prosecutor and stating the date on which such evidence came to his knowledge shall be conclusive evidence of that fact, and
(b) a certificate stating that matter and purporting to be so signed shall be treated as so signed unless the contrary is proved.""
Lord Dubs: This amendment sets out to put right what I think has been a mistake in the way in which various pieces of legislation have been drafted. I shall seek to persuade the Government that it is a mistake in order that they can use my amendment as an opportunity to put things right. This amendment does not come from the Joint Committee on Human Rights. It comes with the help of the freedom of information campaign. Under Section 77 of the Freedom of Information Act, it is an offence for a public authority or an official to deliberately destroy or alter a record which has been requested if the intention in doing so is to prevent the release of information to which the requester is entitled. That is fairly clear.
The offence also applies to the deliberate destruction of a record requested under the Data Protection Act, which gives individuals the right to obtain personal information about themselves. The offence is committed only where the act is deliberate; that is, where the record is deliberately destroyed and amended after being requested with the intention of frustrating the applicant's legal right of access. An official who accidentally destroys the record or who does so in accordance with the authority's established record destruction policy commits no offence. So there are safeguards.
The offence can be tried only in a magistrates' court where the maximum fine is level 5 on the standard scale, £5,000. There is no provision for this offence to be tried on indictment. Your Lordships will think, "So far, so good. Why do we need the amendment?". I shall explain. Section 127(1) of the Magistrates' Courts Act 1980 prohibits a prosecution from being brought more than six months after the offence has been committed. This provision would make it virtually impossible to bring a successful prosecution for the Section 77 offence under the Freedom of Information Act. Therefore, with a very tight time limit, I contend that it is virtually impossible to bring a successful prosecution.
The deliberate destruction of requested records is likely to be detected only during an investigation by the Information Commissioner, which will rarely even have started within six months of the offence. There are three reasons why there might be a delay which would take up the whole of the six months within which a prosecution has to be brought for it to be successful.
For example, there may be a delay in responding to a freedom of information request. Although the Act requires an authority to respond to a request within 20 working days, it permits an unspecified reasonable extension where the authority has to consider the disclosure of exempt information under the Act's public interest test. The commissioner recommended that the extension should normally be limited to an additional 20 working days and should never exceed 40 working days. In practice, it sometimes runs to many months. The commissioner has described how the National
21 July 2009 : Column 1570
The second example is where the requester is dissatisfied with the authority's response to a request. He or she cannot complain directly to the Information Commissioner, but must first ask the authority to reconsider the matter under its own internal complaints procedure, and there is no statutory time limit for this process. The commissioner said that it should normally be completed within 20 working days, with the outside being 40 working days. In practice, the process sometimes takes substantially longer. On one occasion, DBERR-I find the names of government departments difficult at times; they do not trip off the tongue at all, and it was easier in the old days-took 21 months to complete an internal review, only doing so after the commissioner's intervention. And that is a government department.
|Next Section||Back to Table of Contents||Lords Hansard Home Page|